Creating Custom Httphandler In Web.config: Am I At Risk Of Exposing A 'Padding Oracle' Vulnerability?
Oct 29, 2010
Considering the recent ASP.NET vulnerability, what should I look for in my httphandlers that would cause such a Padding Oracle vulnerability?
Asked in another way... what did MSFT do wrong and what did they fix in their handlers?
View 2 Replies
Similar Messages:
Sep 29, 2010
Since installing the security patch for the ASP.NET Oracle Padding vulnerability, any user that was keeping themselves logged in to our site is getting error messages when hitting any page.
The errors logged on the server are
System.Web.UI.ViewStateException: Invalid viewstate.
Client IP: xxx.xxx.xxx.xxx
Port: 55796
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9) Gecko/2008052906 Firefox/3.0
ViewState: l4nsXEvWcOwlDpmdbxw916bpHoPiqdBP7Syb+zCQAv44xv/r3oLtETKTL28/Gts6
Referer:
Path: /product/4795/fender-usa-deluxe-stratocaster-mn-olympic-white-pearl
With custom errors switched off a user sees the following information
Validation of viewstate MAC failed. If this application is hosted by a Web Farm or cluster, ensure that <machineKey> configuration specifies the same validationKey and validation algorithm. AutoGenerate cannot be used in a cluster.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.Web.HttpException: Validation of viewstate MAC failed. If this application is hosted by a Web Farm or cluster, ensure that <machineKey> configuration specifies the same validationKey and validation algorithm. AutoGenerate cannot be used in a cluster.
Source Error:
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.
Stack Trace: [ViewStateException: Invalid viewstate.
Client IP: xxx.xxx.xxx.xxx
Port: 3588
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB6.5; .NET CLR 2.0.50727; OfficeLiveConnector.1.3; OfficeLivePatch.0.0; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
ViewState: s0toPCu7bxkB7a3G+KTxawY3ILf1qunZyIqNBKg8xSoqY2BkWIUCJAHKFKo2RnJw
Referer:
Path: /]
[HttpException (0x80004005): Validation of viewstate MAC failed. If this application is hosted by a Web Farm or cluster, ensure that <machineKey> configuration specifies the same validationKey and validation algorithm. AutoGenerate cannot be used in a cluster.]
System.Web.UI.ViewStateException.ThrowError(Exception inner, String persistedState, String errorPageMessage, Boolean macValidationError) +118
System.Web.UI.ViewStateException.ThrowMacValidationError(Exception inner, String persistedState) +13
System.Web.UI.ObjectStateFormatter.Deserialize(String inputString) +238
System.Web.UI.ObjectStateFormatter.System.Web.UI.IStateFormatter.Deserialize(String serializedState) +5
System.Web.Mvc.AntiForgeryDataSerializer.Deserialize(String serializedToken) +90
to delete all cookies and log back in, but obviously an average user, won't know to do this and I'm worried they will just think our site is broken.
View 3 Replies
Feb 20, 2011
I've looked around for some tutorials, but everything I see is how to use REST services with my app. But that's not really what I need, I'm not doing basic GET requests, the end user needs to do some complicated calculations with several classes and variables from my web service.
In a Web Forms app, I would just add a Web Services solution and do everything in there. Is that the recommended solution for an MVC app?
View 2 Replies
Feb 24, 2011
We need to expose some services (i.e. AddressValidatorService, CustomerFinderService) that currently reside in an ASP.NET application to other applications within our organization. Exposing these services via WCF seems like a natural fit, but I don't see any best-practices for how to pull these common services into a WCF wrapper in such a way that my existing ASP.NET application can continue to use them with minimal code changes and/or awareness that the service they are consuming is no longer in-process. I'm especially looking for recommendations on how to structure the existing ASP.NET solution and whether to host our new WCF in the same solution or in some new shared WCF solution referenced by both our ASP.NET application and external callers.
Also, is it bad practice to simply promote the DTOs currently only consumed in-process via ASP.NET to full-fledged data contracts, or is it preferable to create duplicate DTOs that are explicitly decorated with [DataContract]?
View 3 Replies
Oct 4, 2010
We (our IT partner really) recently changed some DNS for a web farmed site we have so that the two production servers have round-robin DNS switching between the two. Prior to this switch we didn't really have problems with WebResource.axd files. Since the switch, when we hit the live public URL, we get an error:
CryptographicException
Padding is invalid and cannot be removed.
When we hit the specific servers themselves, they load fine. I've researched the issue and it seems since they're sharing assets between two servers, we need to have a consistent machineKey in the web.config for each server so they can encrypt and decrypt consistently between the two. My questions are:
Can I generate a machineKey via a tool on the server, or do I need to write code to do this?
Do I just need to add the machineKey to the web.config on each server or do you think I'll need to do anything else to make the two servers work together? (Both web.configs currently do not have a machineKey)
View 2 Replies
Jun 27, 2010
How to set padding-left to my custom textbox in css?
View 1 Replies
Apr 1, 2010
I have a website in IIS 6.0 (Windows 2003). Inside that I had configured another application (as an IIS Application).
Now, when I uncomment an "add verb" tag in the main web.config file, the webservice inside the application throws a "404 file not found exception". Is there anything which I need to update in the child web.config?
View 1 Replies
Jul 17, 2010
I have the following text in web.config file in ASP.NET 3.5:
<httpHandlers>
<add verb="*" path="CaptchaImage.aspx" type="AspCaptcha.CaptchaHandler, AspCaptcha"/>
</httpHandlers>
View 1 Replies
Mar 23, 2010
Is there a way I can dynamically register an IHttpHandler in C# code, instead of having to manually add it to the system.web/httpHandlers section in the web.config?
This may sound crazy, but I have good reason for doing this. I'm building a WidgetLibrary that a website owner can use just by dropping a .dll file into their bin directory, and want to support this with minimal configuration to the web.config.
View 2 Replies
Mar 27, 2010
I am in the process of moving all of the images in my web application over to a CDN but I want to easily be able to switch the CDN on or off without having to hard code the path to the images. My first thought was to add an HttpHandler for image extensions that, depending on a variable in the web.config (something like ), will serve the image from the server or from the CDN. But after giving this a little thought I think I've essentially ruled this out as it will cause ASP.NET to handle the request for every single image, thus adding overhead, and it might actually completely mitigate the benefits of using a CDN.
An alternative approach is, since all of my pages inherit from a base page class, I could create a function in the base class that determines what path to serve the files from based off the web.config variable. I would then do something like this in the markup:
<img src='<%= GetImagePath() %>/image.png' />
I think this is probably what I'll have to end up doing, but it seems a little clunky to me. I also envision problems with the old .NET error of not being able to modify the control collection because of the "<%=" though the "<%#" solution will probably work.
View 8 Replies
Feb 18, 2011
Is it possible to register a custom httphandler in a stand-alone assembly? I'm writing a control toolkit that uses httphandlers to perform AJAX and I would like to make the use of the toolkit as low friction for the web developers as possible. There will be quite a few handlers and I don't want the developer to have to register them all in the web.config.
View 2 Replies
Apr 14, 2010
I'm writing a multi-tenant app that will receive requests like http://www.tenant1.com/content/images/logo.gif and http://www.anothertenant.com/content/images/logo.gif. I want the requests to actually map to the folder location /content/tenant1/images/logo.gif and /content/anothertenant/images/logo.gif
I'm using asp.net Mvc 2 so I'm sure there's probably a way to setup a route to handle this or a custom route handler?
View 2 Replies
Feb 17, 2011
I have an HttpModule and I'd like to choose the HttpHandler for the current request, is that possible? Also web.config is not an option because the condition is not based on path or extension. My googling skills have failed me, no matter what keywords I use all the results are "IHttpHandler vs IHttpModule".
View 3 Replies
Sep 1, 2010
I am currently working on the connection between ASP.NET and Oracle. I tried to search over the net and know there are many ways. Is there any 'normal practice' on which method to be used? Or it depends?
View 1 Replies
Mar 22, 2011
I developed a .Net 3.5 x64 web application that includes a custom HttpHandler in the config:
<add path="*.class1" verb="GET" type="ClassLibrary1.Class1Handler"/>
This works when the platform target for ClassLibrary1 is set at x86.
However, when I set this to x64 I get the following error when the web application starts (it compiles just fine): Configuration Error Description: An error occurred during the processing of a configuration file required to service this request. Please review the specific error details below and modify your configuration file appropriately. Parser Error Message: Could not load file or assembly 'ClassLibrary1, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null' or one of its dependencies. An attempt was made to load a program with an incorrect format.
Does this mean that a HttpHandler can be compiled at x86 only? That doesn't make much sense to me. Does anyone have an idea of what could be going on?
Edit 1: The ClassLibrary1 project is just an empty class library project with a single HttpHandler added (which is also empty).
Edit 2: I am also getting these warning messages when compiling, I am pretty sure they have something to do with this problem: Assembly generation -- Referenced assembly 'mscorlib.dll' targets a different processor HttpTest
Edit 3: I manually edited the project file to force references to the x64 assemblies, like this:
<Reference Include="$(Windir)\Microsoft.NET\Framework64\v2.0.50727\System.dll"/>
This does suppress the above warning message, but the problem isn't resolved.
View 2 Replies
Aug 29, 2010
I'm trying to get a custom HttpHandler working in my sample web application. I've been experiencing a lot of issues, but finally got stuck with error 500. Application pool is being run in Classic ASP.NET 2.0 mode. Server is IIS 7.5, OS is Win 7 Pro.
Here's the code of my handler:
[Code]....
View 1 Replies
Jun 8, 2010
I'm using a custom ashx HttpHandler to retrieve gif images from a database and show it on a website - when the image exists, it works great.
However, there are cases when the image will not exist, and I'd like to have the html table holding the image to become invisible so the "image not found" icon is not shown.
[code]...
View 4 Replies
Jan 4, 2010
I create a custom http handler to block download of .wmv files e.g. www.pakdev.net/videos/file.wmv (blocked by httpHandler).
But the problem is that now silverlight cannot also stream these video files as they are blocked too.
View 1 Replies
Jan 4, 2010
On my website, www.pakdev.net, I create screencasts which are streamed through Silverlight.
I created a custom handler to block the download of .wmv files from the url like [URL]
But the problem is now that Silverlight has also stopped streaming files.
View 1 Replies
Feb 1, 2010
VB.NET 2.0, Windows Forms applications. I have two applications, A and B. A accesses a remote Oracle database already, B needs to access a different database, but also Oracle, from the same outside source.
So, I thought it would be easy; copy code to connect, change the query, and off we go. But I keep getting the old ORA-12154 error that it can't resolve the connect identifier.
First, I developed the query using SQL*Plus connecting to the target database. So, I know the machine has appropriate entries in tnsnames.ora.
Second, I cut-and-pasted the block of code from B into A and gave A a test. It successfully connects and runs the query. So, I know that the data source, user id, password and sql are o.k.
Third, I looked in the registry (HKEY_LOCAL_MACHINE\SOFTWARE\Oracle) and found all the ORACLE_HOME paths that were set up. Went down all those paths to ensure the tnsnames file had my new connection defined.
Fourth, I'm able to find the database B is trying to get to via tnsping from the command prompt.
Fifth, I copied the connection string from A to B, just to see if it could connect to the database A is known to connect to. Same exception.
So, everything connects everywhere except B, who cannot get to Oracle at all. I just can't find what's telling B to use a different tnsnames file (maybe?). Missing something obvious, no doubt.
[Edit] I realized overnight I hadn't shown how I was connecting. (The exception is thrown trying to open the connection.) Pretty simple:
[Code]....
[Code]....
View 2 Replies
Feb 11, 2010
I'm stumped after a few days of searching and trying to create a Data Source to Oracle for a report under Visual Studio 2005. I followed the guide at
[URL]
I am able to connect through the Server Explorer to our Oracle database using both .NET Framework Data Provider for Oracle and Oracle Data Provider for .NET. I can execute queries on both of these and retrieve data.
The problems start when I try to create a data source under the Solution Explorer. I have created a Business Intelligence project on my local computer.
Data Source Wizard Select Create a data source based on an existing or new connection. Click New... Here the Provider is disabled and it appears defaulted to SqlClient Data Provider. All I can do is connect to a MSSQL server.
How can I connect to an Oracle database here?
View 5 Replies
Jun 22, 2010
I'm trying to secure my web application so XML files it contains can't be downloaded. I thought it would be as simple as adding these to the "httpHandlers" section of web.config:
<remove verb="*" path="*.xml"/>
<add verb="*" path="*.xml" type="System.Web.HttpForbiddenHandler"/>
This failed - the XML files could still be downloaded easily. I tried different browsers in case they were caching, but everything could download the XML files without any trouble. I thought this might be due to some special handling of XML, so I tried mocking up an alternative based on ".txt123" files. I added this file with some dummy content:
[code]....
View 1 Replies
Mar 8, 2011
We have a handler to deal with .dat files. Everything is already set up and the server is acknowledging the file type and doing its thing to handle it.
But the handler requires 1 bit of information along with the HTTP request, which is a physical file path. The file name it knows based on the file we call, but how can I pass a custom header along with the request so that the handler will use that when the request is made?
Basically when on our player.aspx page, I will have a button; when you click that button a request is made to the .dat file, but along with that request I need to send the physical file path. How can I do that?
View 3 Replies
Nov 29, 2010
I am creating a custom control by inheriting a server control, say LinkButton. There are properties like "BorderColor" available in LinkButton. Let's say, I don't want this particular property to be available when I create an instance of the custom control.
I want to completely hide this particular property (I don't want to override it but disable it.)
My code is as follows:
[Code]....
View 3 Replies
Jul 12, 2013
With this code the website works perfectly:
<configuration>
<system.web>
<httpHandlers>
</httpHandlers>
</system.web>
</configuration>
but when I add
<add path="ThumbHandler.ashx" verb="*" type="Delshad.WebControls.ThumbHandler,Delshad.ThumbPic"/>
or
<add verb="GET" path="CaptchaImage.axd"
type="MSCaptcha.CaptchaImageHandler, MSCaptcha" />
in the httpHandlers section, when I go to my site it is only a blank page!
Before, on two other hosts there wasn't a problem, but this is a new host and I face this problem. Also, locally there isn't any problem.
View 1 Replies